Security shortages exacerbating breaches
The sixth Global Information Security Workforce Study, conducted by (ISC)², shows that a shortage of information security professionals is having an adverse impact on healthcare and other industries, even as vulnerabilities such as mobile devices and social media are on the rise.
The (ISC)² study, conducted in partnership with Booz Allen Hamilton and Frost & Sullivan, examined security practices across many industries. One of its key findings is that more than two-thirds of chief information security officers say they're short-staffed – leading to an increased threat of expensive breaches.
"Now, more than ever before, we’re seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we’ve been experiencing in recent years," said W. Hord Tipton, executive director of (ISC)², in a statement.
"More and more enterprises are being breached," he added. "We must focus on building a skilled and qualified security workforce that is equipped to handle today’s and tomorrow’s most sophisticated cyber threats."
The GISWS indicates big shortages of software development professionals trained in security, and finds that application security vulnerabilities still rank highest among security concerns, across all industries.
Threats from malware and mobile devices are at the top of the list; cloud security, bring your own device and social networking are all also reported as major concerns in terms of newer security threats on the horizon.
Among the study's other findings:
- Information security professionals are enjoying stable employment. More than 80 percent of respondents reported no change in employer or employment in the last year, and 58 percent reported receiving a raise in the last year.
- New skills, deepening knowledge and a wider range of technologies are needed, however, according to (ISC)². Addressing the risks in BYOD and cloud computing requires a new security approach. More than three-quarters (78 percent) of respondents said BYOD technology is a significant security risk, and 74 percent reported that new security skills are required to meet the BYOD challenge. More than two-thirds (68 percent) reported social media is a security concern, with content filtering being the chief security measure used.
- Application vulnerabilities rank the highest among security concerns, yet most organizations are not prioritizing secure software development, according to the report. Nearly half of security organizations are not involved in software development, and security is not among the most important factors when considering an outsourcing provider for software development, yet 69 percent reported application vulnerabilities as their top concern.
- Security priorities vary depending on the industry. While most banking, insurance and finance companies feared damage to their organizations’ reputations, in healthcare most respondents said patient privacy violations were their top concern.
- Security incident preparedness is showing signs of strain, with just 28 percent of respondents reporting that their organizations can remediate from a targeted attack within a day. More than 40 percent said addressing damage could take up to a week.
"Security is an organization-wide responsibility, with information security professionals serving as the beacon of knowledge and security stewardship," said Frost & Sullivan researcher Michael Suby, author of the report.
"Information security professionals are constantly on the front lines, having to adapt to an ever-changing threat and IT landscape," he added. "They are also in a strategic position to educate business leaders as to why and how security is critical to all areas of the business ... If we continue to let this skills gap grow, the economy will undoubtedly suffer."